Successful Install - but cannot login

Stack

  • Nextcloud version: 27.1.4.1
  • Operating system and version: Ubuntu 22.04.3 LTS
  • Apache or nginx version: 2.4.52
  • PHP version: with Zend OPcache v8.1.2-1ubuntu2.14
  • MySQL: 8.0.35-0ubuntu0.22.04.1

Additional environment notes:

  • Brand new install on server. Plenty of space (new 8 TB drives)
  • All files inside web directory are www-data:www-data
  • Database install successful
  • Experienced server admin (not an “expert,” but experienced, since Ubuntu 10, have rebuilt stacks several times on both own hardware and in cloud).

Nextcloud install process used:

  • Installed NextCloud via downloading the latest.zip into the website directory and extracting, then making sure to chown -R www-data:www-data
  • Ran install script from web site, everything worked, database populated, etc.

The issue I am facing:

  • I have gone through the install process several times, blowing away the install, then starting over. The result is always the same: Admin login fails and I am sent back to https://---domain---/index.php/login?user=adminUser&direct=1
  • data/nextcloud.log is empty
  • IP is added to oc_bruteforce_attempts table
  • Used occ to clear bruteforce IP address
sudo -u www-data php occ security:bruteforce:reset {myIpAddress}

Sessions appear to be created in /var/lib/php

  • After stopping php FPM and Apache2, “/var/lib/php” is cleared out before restarting PHP FPM and Apache2.
  • Then, on attempting a login to NextCloud, “/var/lib/php” is populated with 15 session files owned by www-data:www-data
  • This is a private server (not commercial), the only PHP sessions at the time are from NextCloud

The output of my config.php file

<?php
$CONFIG = array (
  'instanceid' => 'redacted',
  'passwordsalt' => 'redacted',
  'secret' => 'redacted',
  'trusted_domains' => 
  array (
    0 => 'www.domainNotDisclosedHere.com',
  ),
  'datadirectory' => '/datacloud/websites/www.domainNotDisclosedHere.com/web/data',
  'dbtype' => 'mysql',
  'version' => '27.1.4.1',
  'overwrite.cli.url' => 'https://www.domainNotDisclosedHere.com',
  'dbname' => 'dbnameNotDisclosedHere',
  'dbhost' => '127.0.0.1:3306',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'redacted',
  'dbpassword' => 'redacted',
  'installed' => true,
);

The output of your Apache/nginx/system log in /var/log/____:

apache logs are clean (no errors)

PHP modules enabled

[PHP Modules]
bcmath
bz2
calendar
Core
ctype
curl
date
dom
exif
FFI
fileinfo
filter
ftp
gd
gettext
gmp
hash
iconv
imagick
intl
json
libxml
mbstring
mysqli
mysqlnd
openssl
pcntl
pcre
PDO
pdo_mysql
Phar
posix
readline
Reflection
session
shmop
SimpleXML
sockets
sodium
SPL
standard
sysvmsg
sysvsem
sysvshm
tokenizer
xml
xmlreader
xmlwriter
xsl
Zend OPcache
zip
zlib

[Zend Modules]
Zend OPcache

Apache2 modules enabled:

core_module (static)
so_module (static)
watchdog_module (static)
http_module (static)
log_config_module (static)
logio_module (static)
version_module (static)
unixd_module (static)
access_compat_module (shared)
alias_module (shared)
auth_basic_module (shared)
authn_core_module (shared)
authn_file_module (shared)
authz_core_module (shared)
authz_host_module (shared)
authz_user_module (shared)
autoindex_module (shared)
deflate_module (shared)
dir_module (shared)
env_module (shared)
expires_module (shared)
filter_module (shared)
headers_module (shared)
mime_module (shared)
mpm_event_module (shared)
negotiation_module (shared)
proxy_module (shared)
proxy_connect_module (shared)
proxy_fcgi_module (shared)
proxy_html_module (shared)
proxy_http_module (shared)
reqtimeout_module (shared)
rewrite_module (shared)
setenvif_module (shared)
socache_shmcb_module (shared)
ssl_module (shared)
unique_id_module (shared)
xml2enc_module (shared)

Hey,

thanks for providing all the information upfront!
It looks like you want to run Nextcloud in a subdirectory "/nextcloud". You could try the following things:

  1. Check if there’s a mismatch between http and https, so when you login, is it https and then you get redirected to http? (Or the other way round). You might need to overwrite the protocol, see Configuration Parameters — Nextcloud latest Administration Manual latest documentation

  2. Double check your apache alias configuration, see Installation on Linux — Nextcloud latest Administration Manual latest documentation

  3. Try to manually specify the Webroot, see Configuration Parameters — Nextcloud latest Administration Manual latest documentation

  4. Try to set the rewritebase and rebuild the htaccess file, see Configuration Parameters — Nextcloud latest Administration Manual latest documentation


Thank you for the reply!

I have since re-attempted the install and I am now serving the Nextcloud files in the root of the site. So that is no longer an issue.

RE: 1. I am 100% confident that the connections are served via HTTPS, end to end. My apache config file will redirect any HTTP (port 80) connection to HTTPS (port 443). I also comply with SSLLabs testing, and the site scores an A+ on security.

RE 2. My config for the site (the relevant portion) is:

<Directory "/path-to-web-directory/web">
	Options +Multiviews +FollowSymLinks +Includes +Indexes
	AllowOverride all
	Require all granted
	<IfModule mod_dav.c>
		Dav off
	</IfModule>
</Directory>

RE 3. Webroot is now the root, so should not be an issue.

RE 4. I did set the rewrite base in the config.php file and it succeeded:

'overwrite.cli.url' => 'https://www.domainNotDisclosedHere.com/',
'htaccess.RewriteBase' => '/',

then…

sudo -u www-data php occ maintenance:update:htaccess
.htaccess has been updated

then…

sudo -u www-data php occ integrity:check-core

No results came back, all is good.

Restart PHP FPM and Apache2.

No luck. Same result.

> The result is always the same: Admin login fails and I am sent back to […]

Anything interesting in your network and general browser console sections?

> data/nextcloud.log is empty

Maybe check your Apache log(s)?

Oh, and fpm log(s) as well.

Thank you!

Sadly, nothing.

Nothing in the logs or nothing that appears relevant?

Can you share the transactions that appear during the initial login page load and a login attempt?

> Nothing in the logs or nothing that appears relevant?

Nothing in the Apache logs. On install, NextCloud is successful in creating all the MySQL tables, it has access to the database, no problem.

> Can you share the transactions that appear during the initial login page load and a login attempt?

I would love to. Where can I find that, because…

/data/nextcloud.log

is empty.

BTW, the site has already been configured with a Let’s Encrypt cert before installing NextCloud. And that cert is valid and working. So I don’t see any need to generate a new cert via NextCloud. However, I see “rootcerts.crt”

/data/files_external/rootcerts.crt

Is this any concern?

Finally, all files and directories are owned by www-data:www-data and file permissions are 664, folders are 775, but with the SGID bit, so 2775.

From the sounds of it you’re terminating HTTPS directly on your Apache server and not using a proxy, correct?

Your web server (or reverse proxy, but you haven’t indicated you’re using one) generates its own logs. I’m suggesting you look at those logs.

> From the sounds of it you’re terminating HTTPS directly on your Apache server and not using a proxy, correct?

Correct! The following Apache mods are in place. But the only actual proxy use is for mod_jk, which only proxies specific file extensions to Tomcat/Java. Otherwise, no proxy use.

proxy_module (shared)
proxy_connect_module (shared)
proxy_fcgi_module (shared)
proxy_html_module (shared)
proxy_http_module (shared)

> Your web server (or reverse proxy but you haven’t indicating your using one) generates its own logs. I’m suggesting you look at those logs.

Correct again. Each virtual host has its own set of logs.

Just to make sure I am giving a clean sample, I cleared the logs and tried to log in, here are the results with my domain name redacted and my IP redacted (showing 0.0.0.0):


www.domain-not-disclosed.com:443 0.0.0.0 - - [11/Dec/2023:15:54:47 -0500] "POST /login HTTP/1.1" 303 7028 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1 Safari/605.1.15"
www.domain-not-disclosed.com:443 0.0.0.0 - - [11/Dec/2023:15:54:48 -0500] "GET /login?user=domain-not-disclosed&direct=1 HTTP/1.1" 200 7349 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1 Safari/605.1.15"
www.domain-not-disclosed.com:443 0.0.0.0 - - [11/Dec/2023:15:54:49 -0500] "GET /apps/theming/manifest?v=b6589fc6 HTTP/1.1" 200 1329 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1 Safari/605.1.15"
www.domain-not-disclosed.com:443 0.0.0.0 - - [11/Dec/2023:15:54:49 -0500] "GET /apps/theming/theme/default.css?plain=1&v=b6589fc6 HTTP/1.1" 200 7412 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1 Safari/605.1.15"
www.domain-not-disclosed.com:443 0.0.0.0 - - [11/Dec/2023:15:54:49 -0500] "GET /apps/theming/theme/light.css?plain=0&v=b6589fc6 HTTP/1.1" 200 7431 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1 Safari/605.1.15"
www.domain-not-disclosed.com:443 0.0.0.0 - - [11/Dec/2023:15:54:49 -0500] "GET /apps/theming/theme/light.css?plain=1&v=b6589fc6 HTTP/1.1" 200 7412 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1 Safari/605.1.15"
www.domain-not-disclosed.com:443 0.0.0.0 - - [11/Dec/2023:15:54:49 -0500] "GET /js/core/merged-template-prepend.js?v=211e7a1b-0 HTTP/1.1" 200 9584 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1 Safari/605.1.15"
www.domain-not-disclosed.com:443 0.0.0.0 - - [11/Dec/2023:15:54:49 -0500] "GET /apps/theming/theme/dark.css?plain=0&v=b6589fc6 HTTP/1.1" 200 7424 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1 Safari/605.1.15"
www.domain-not-disclosed.com:443 0.0.0.0 - - [11/Dec/2023:15:54:49 -0500] "GET /apps/theming/theme/light-highcontrast.css?plain=0&v=b6589fc6 HTTP/1.1" 200 2232 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1 Safari/605.1.15"
www.domain-not-disclosed.com:443 0.0.0.0 - - [11/Dec/2023:15:54:49 -0500] "GET /apps/theming/theme/dark-highcontrast.css?plain=0&v=b6589fc6 HTTP/1.1" 200 2256 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1 Safari/605.1.15"
www.domain-not-disclosed.com:443 0.0.0.0 - - [11/Dec/2023:15:54:49 -0500] "GET /apps/theming/theme/opendyslexic.css?plain=0&v=b6589fc6 HTTP/1.1" 200 1473 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1 Safari/605.1.15"
www.domain-not-disclosed.com:443 0.0.0.0 - - [11/Dec/2023:15:54:49 -0500] "GET /cron.php HTTP/1.1" 200 1182 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1 Safari/605.1.15"
www.domain-not-disclosed.com:443 0.0.0.0 - - [11/Dec/2023:15:54:49 -0500] "GET /apps/theming/theme/dark.css?plain=1&v=b6589fc6 HTTP/1.1" 200 2144 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1 Safari/605.1.15"
www.domain-not-disclosed.com:443 0.0.0.0 - - [11/Dec/2023:15:54:50 -0500] "GET /apps/theming/theme/light-highcontrast.css?plain=1&v=b6589fc6 HTTP/1.1" 200 2212 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1 Safari/605.1.15"
www.domain-not-disclosed.com:443 0.0.0.0 - - [11/Dec/2023:15:54:50 -0500] "GET /apps/theming/theme/dark-highcontrast.css?plain=1&v=b6589fc6 HTTP/1.1" 200 2235 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1 Safari/605.1.15"

All requests result in a successful GET.

Sample of the current Apache access.ssl log for the site cannot be provided because it is empty - no errors.

It really just looks like the standard “username/password isn’t right” behavior.

In your browser console you can check what’s being sent (supposedly) by your browser if you look at the Request under Network for the POST /login transaction.

An invalid login is also logged:

{"reqId":"Ux9JjNa6W1dAq6W5pbc7","level":2,"time":"2023-12-11T21:08:41+00:00","remoteAddr":"192.168.x.y","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: slfjsaf (Remote IP: 192.168.x.y)","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/ZZZ.0","version":"27.1.4.1","data":,"id":"65777a878254b"}

I find it kind of hard to believe that your Nextcloud log file (which should be at /datacloud/websites/www.domainNotDisclosedHere.com/web/data/nextcloud.log from your provided config.php) is entirely empty.

What happens if you turn up your loglevel to something aggressive like 0 (“debug”)?

https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/logging_configuration.html

Have you tried connecting from a different browser or device? Maybe a browser extension?

I’ve tried several browsers. And two separate devices. Keep in mind, I have blown away and reinstalled several times and the result is always the same. I am using the same UserName and PW each time, double checking before entering. And during setup, everything is going as it should (database tables are added, data is entered).

And on every single attempt to log in, an entry is made in oc_bruteforce_attempts which is really concerning. No reason that should be happening.

Data log is 100% empty

/datacloud/websites/www.domainNotDisclosedHere.com/web/data/nextcloud.log

Question: what should the permissions be for everything in the NextCloud root? Right now all files and directories are owned by www-data:www-data and file permissions are 664, folders are 775, but with the SGID bit, so 2775.

Also, how should MySQL be storing the PWs? At the moment it’s set for Native MySQL Authentication even though it’s version 8.1. And it must be valid, otherwise, it would not have been able to build the tables in MySQL nor add entries to the oc_bruteforce_attempts table every time I try to log in.

I have even used

sudo -u www-data php occ user:resetpassword {myAdminUserNameForNC}

to reset the password and the result is the same.

Hi derrick,

Do you have the IP/Domain you are using to access NC, added to the Trusted Domains in the config.php?

Also here are the permissions, I use in my installs.

\find /var/www/nextcloud/ -type d -exec \chmod 750 {} \;
\find /var/www/nextcloud/ -type f -exec \chmod 640 {} \;

Sebastian

> Do you have the IP/Domain you are using to access NC, added to the Trusted Domains in the config.php?

Thank you for asking.

Yes. And…

sudo -u www-data php occ config:system:get trusted_domains

confirms it.

Can you try creating a new user via occ with a simple username/password, something like test/test and try if login works then?

Great idea!

Did that just now. Same result, redirected to login. Every time.

https://www.mydomain-site.com/login?user=test&direct=1

Hey,

Make sure the php sessions folder has the correct permissions. I’ve had this issue with the login loop.

Sebastian

> Make sure the php sessions folder has the correct permissions. I’ve had this issue with the login loop.

Thanks for the help!

All session files are being created with 0600 and www-data:www-data

I also have other PHP applications running and using the same session directory. Doesn’t seem to be a problem.

However, each attempt to login to NC results in multiple new session files in /var/lib/php/sessions and each one is exactly 420 bytes. But other PHP apps have no problem writing to and reading the sessions and have much larger session files.

UPDATE: To make sure PHP can access sessions (in addition to other PHP apps continuing to write and read session files), I changed the location of the PHP session files to /tmp/php/session/ but did not create the /php/sessions directory tree. Upon restarting Apache and PHP, the PHP sites complained and threw an error. I then tried NC and it wrote the error to the /data/nextcloud.log as it should.

I have changed PHP sessions back to /var/lib/php/sessions and all the PHP apps are working again without complaint. Except NC; it is still stuck in the login loop.

So session data is being written and read by PHP. Yet, NC is creating about 30 session files for each attempted login at 420 bytes each.

> So session data is being written and read by PHP. Yet, NC is creating about 30 session files for each attempted login at 420 bytes each.

This is your clue then, this should NOT be happening. Should only be one session per user. But it sounds like it’s creating a new session for every file request.

I had this issue before… But for the life of me I cannot remember what the fix was; the best clue I can give you is that it was a missing folder / permissions with php-fpm.


OK, finally taking a look at this. In and out all day and forgot to check on this.

While everything I can see is pointing to the PHP sessions being created and accessed (especially by other PHP apps), that could be the issue, I’m just not sure how to solve it. Here is the POST result from trying to log in:

HEADERS
Status: 303 See Other
Version: HTTP/1.1
Transferred: 7.59 kB (17.04 kB size)
Referrer Policy: no-referrer
Request Priority: Highest
DNS Resolution: DNS over HTTPS

RESPONSE HEADERS
Cache-Control: no-cache, no-store, must-revalidate
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, proxy-revalidate
Connection: Keep-Alive
Content-Length: 0
Content-Security-Policy: default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'
Content-Type: text/html; charset=UTF-8
Date: Tue, 12 Dec 2023 01:32:38 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Feature-Policy: autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none'
Keep-Alive: timeout=15, max=100
Location: /login?user=REDACTED&direct=1
Pragma: no-cache
Referrer-Policy: no-referrer
Server: Apache
Set-Cookie: nc_username=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; secure; HttpOnly
Set-Cookie: nc_token=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; secure; HttpOnly
Set-Cookie: nc_session_id=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; secure; HttpOnly
Set-Cookie: nc_username=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; secure; HttpOnly
Set-Cookie: nc_token=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; secure; HttpOnly
Set-Cookie: nc_session_id=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; secure; HttpOnly
Set-Cookie: oc8wcnuvpkjl=nq0998ai909gpb7di9obed0ed7; path=/; domain=1; secure; HttpOnly; SameSite=Lax
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Request-Id: ZXe4Ntd_MdJl5-Tgxrz0BgAAAAU
X-Robots-Tag: noindex, nofollow
X-XSS-Protection: 1; mode=block

Thank you!

So I can dig from there and if you happen to remember, please do post! For now, here is some info on my PHP settings.

I just changed session.cache_limiter = nocache to session.cache_limiter = private_no_expire - but it had no effect.

EDIT: SOME OF THE BELOW CONFIG WAS WRONG. Correct config is now shown below

Directive	Local Value	Master Value
session.auto_start	Off	Off
session.cache_expire	180	180
session.cache_limiter	private_no_expire	private_no_expire
session.cookie_domain	no value	no value
session.cookie_httponly	1	1
session.cookie_lifetime	0	0
session.cookie_path	/	/
session.cookie_samesite	Strict	Strict
session.cookie_secure	1	1
session.gc_divisor	1000	1000
session.gc_maxlifetime	14400	14400
session.gc_probability	0	0
session.lazy_write	On	On
session.name	PHPSESSID	PHPSESSID
session.referer_check	no value	no value
session.save_handler	files	files
session.save_path	/var/lib/php/sessions	/var/lib/php/sessions
session.serialize_handler	php	php
session.sid_bits_per_character	5	5
session.sid_length	26	26
session.upload_progress.cleanup	On	On
session.upload_progress.enabled	On	On
session.upload_progress.freq	1%	1%
session.upload_progress.min_freq	1	1
session.upload_progress.name	PHP_SESSION_UPLOAD_PROGRESS	PHP_SESSION_UPLOAD_PROGRESS
session.upload_progress.prefix	upload_progress_	upload_progress_
session.use_cookies	1	1
session.use_only_cookies	1	1
session.use_strict_mode	1	1
session.use_trans_sid	0	0
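The Set-Cookie lines in the POST /login response quoted above are worth checking against the rules a browser applies before it stores a cookie. The script below is an added example, not Nextcloud's code or anything posted in this thread; it applies the RFC 6265 domain, path and Secure checks to those headers, assuming the request went to the placeholder host from the config.php above.

```python
from urllib.parse import urlsplit

# Constructed sample: request URL uses the placeholder host from the thread's
# config.php; the Set-Cookie lines are copied from the POST /login response above.
REQUEST_URL = "https://www.domainNotDisclosedHere.com/login"
SET_COOKIE_HEADERS = [
    "nc_username=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; secure; HttpOnly",
    "nc_token=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; secure; HttpOnly",
    "oc8wcnuvpkjl=nq0998ai909gpb7di9obed0ed7; path=/; domain=1; secure; HttpOnly; SameSite=Lax",
]


def parse_set_cookie(header):
    """Split 'name=value; attr=val; flag' into (name, value, {attr_lower: val})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def domain_matches(request_host, cookie_domain):
    """RFC 6265 domain-match: the host equals the domain or is a subdomain of it."""
    dom = cookie_domain.lstrip(".").lower()
    host = request_host.lower()
    return host == dom or host.endswith("." + dom)


def cookie_problems(header, request_url):
    """Return (name, value, reasons); reasons explain why a browser would refuse
    to store this cookie or would never send it back to the same URL."""
    name, value, attrs = parse_set_cookie(header)
    url = urlsplit(request_url)
    reasons = []
    if attrs.get("domain") and not domain_matches(url.hostname, attrs["domain"]):
        reasons.append(f"Domain={attrs['domain']!r} does not cover host {url.hostname!r}: rejected")
    if "secure" in attrs and url.scheme != "https":
        reasons.append("Secure cookie set over plain http: not stored")
    if "path" in attrs and not (url.path or "/").startswith(attrs["path"]):
        reasons.append(f"Path={attrs['path']!r} does not match request path {url.path!r}")
    return name, value, reasons


def surviving_cookies(headers, request_url):
    """Names of cookies the browser would keep and present on the next request.
    Max-Age=0 / 'deleted' entries are clear-outs of old cookies and are skipped."""
    kept = []
    for header in headers:
        name, value, reasons = cookie_problems(header, request_url)
        attrs = parse_set_cookie(header)[2]
        if attrs.get("max-age") == "0" or value == "deleted":
            continue
        if not reasons:
            kept.append(name)
    return kept


if __name__ == "__main__":
    for header in SET_COOKIE_HEADERS:
        name, _, reasons = cookie_problems(header, REQUEST_URL)
        print(f"{name}: {reasons or 'ok'}")
    # For the sample headers this list is empty: the PHP session cookie is never
    # stored, so each request reaches the server without a session id.
    print("kept for next request:", surviving_cookies(SET_COOKIE_HEADERS, REQUEST_URL))
```

A session cookie that fails the domain check is discarded, so the following request carries no session id and PHP starts a fresh session, which is the pattern of many small session files per login described earlier in the thread.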